App devs everywhere, rejoice! Shopify is pleased to announce that we’re replacing our current API authentication system with one based on OAuth 2.0.

Anyone who knows anything about webapps will tell you that OAuth 2.0 is quickly becoming the de-facto standard for authenticating users against an API. Facebook, Foursquare, Google, Github, and other big names are already using it. We’ve been working on our own implementation here at Shopify for a while now, so we’re really pleased to finally make it public.

Why Use OAuth 2.0?

Our previous authentication scheme was pretty good, but it fell short in some key areas. Primarily, it was completely custom, so the first thing a new dev often had to do was implement our auth mechanism in their favourite environment. By implementing OAuth 2.0, developers can tie into existing auth solutions that implement the spec for them. We hope this makes getting stuck into the Shopify API much easier.

Secondly, we’re adding the ability to request granular access scope for your application. If you’ve ever used a Facebook or Twitter app, you’ve already seen this in action. We’ve divided up the API into a number of categories, and apps can request read or write access to each of these individually. Now merchants won’t have to trust a product-related app with all their customer info, for example. The available scopes are as follows:

  • Content: Blog posts, pages, comments, etc.
  • Themes: Themes and theme assets.
  • Products: Everything product-related. Images, variants, etc.
  • Customers: Customers and customer groups.
  • Orders: Orders, transactions, and fulfillments.
  • Script Tags
  • Shipping: Coming Soon!

Related to this, you can also change the scopes you ask for as your app functionality evolves. You’ll need merchants to approve the changes of course, but it’s a lot more flexible. A full scope reference is available in our documentation.
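To show what requesting a minimal scope set and checking the merchant's approval looks like from the app side, here is an added example (not code from this post or from the shopify_api gem). The scope names, the "/oauth/authorize" path and the query parameters are assumed placeholders following the read/write-per-category pattern described above; the state parameter is standard OAuth 2.0 practice for tying a callback to the session that started it.

```ruby
require "securerandom"
require "cgi"

# Scope names here are assumed placeholders following the page's
# "read/write per category" pattern; the real names are in Shopify's scope reference.
NEEDED_SCOPES = %w[read_products write_products read_orders].freeze

# Builds the authorization request, asking only for the scopes the app needs.
# The random state is stored with the session and checked on the callback,
# which is standard OAuth 2.0 protection against forged callbacks.
# The "/oauth/authorize" path is a placeholder, not necessarily the real endpoint.
def build_authorize_url(shop_host, client_id, redirect_uri, scopes)
  state = SecureRandom.hex(16)
  params = {
    "client_id" => client_id,
    "scope" => scopes.join(","),
    "redirect_uri" => redirect_uri,
    "state" => state,
  }
  query = params.map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v)}" }.join("&")
  ["https://#{shop_host}/oauth/authorize?#{query}", state]
end

# Constant-time string comparison so the state check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Validates the callback: the state must match the stored one, and the scopes
# the merchant actually granted must cover everything the app needs. Returns
# [:ok, code] on success, or a symbol naming the failure plus any missing scopes.
def validate_callback(expected_state, callback_query, granted_scopes)
  params = CGI.parse(callback_query).transform_values(&:first)
  unless params["state"] && secure_compare(params["state"], expected_state)
    return [:state_mismatch, nil]
  end
  missing = NEEDED_SCOPES - granted_scopes
  return [:insufficient_scope, missing] unless missing.empty?
  [:ok, params["code"]]
end
```

An app that later needs more scopes would change NEEDED_SCOPES and send the merchant back through the authorization step, which is the re-approval the paragraph above describes.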

What This Change Means

If you’re the owner of an app that uses the old auth system (i.e. everyone at the moment), don’t worry! The old system isn’t going to be going away any time soon. We're phasing it out eventually, but there will be lots and lots of notice before we do that.

One thing that is going to change is that new apps are going to be required to use OAuth 2.0 starting soon. We’re leaving both options up for a short while so that the authors of our various community API clients have time to update their libraries, but after that it’s OAuth all the way down.

Resources

We’ve updated our technical docs with new instructions on how to get up and running with the new auth scheme. Read this page thoroughly before you get started.

There’s already an updated version of the shopify_api gem available that works with OAuth 2.0. We’re working on converting the shopify_app gem as well as bringing our other official adapters up to date. There’s also an omniauth solution available here.

Feedback

We’d love to hear what you think of the new changes. You can leave a comment on this blog post or head over to our developer mailing list and discuss it there.